Introduction

1. Online Cryptography Course Dan Boneh Collision resistance Introduction

2. Recap: message integrity So far, four MAC constructions: ECBC-MAC, CMAC : commonly used with AES (e.g. 802.11i) NMAC : basis of HMAC (this segment) PMAC: a parallel MAC Carter-Wegman MAC: built from a fast one-time MAC PRFs randomized MAC This module: MACs from collision resistance.

3. Collision Resistance Let H: M T be a hash function( |M| >> |T| ) A collision for H is a pair m0 , m1  M such that: H(m0) = H(m1) and m0  m1 A function H is collision resistant if for all (explicit) “eff”algs. A: AdvCR[A,H] = Pr[ A outputs collision for H] is “neg”. Example: SHA-256 (outputs 256 bits)

4. MACs from Collision Resistance Let I = (S,V) be a MAC for short messages over (K,M,T) (e.g. AES) Let H: Mbig M Def: Ibig = (Sbig , Vbig ) over (K, Mbig, T) as: Sbig(k,m) = S(k,H(m)) ; Vbig(k,m,t) = V(k,H(m),t) Thm: If I is a secure MAC and H is collision resistant then Ibig is a secure MAC. Example: S(k,m) = AES2-block-cbc(k, SHA-256(m)) is a secure MAC.

5. MACs from Collision Resistance Sbig(k, m) = S(k, H(m)) ; Vbig(k, m, t) = V(k, H(m), t) Collision resistance is necessary for security: Suppose adversary can find m0  m1s.t. H(m0) = H(m1). Then: Sbigis insecure under a 1-chosen msg attack step 1: adversary asks for t ⟵S(k, m0) step 2: output (m1 , t) as forgery

6. Protecting file integrity using C.R. hash Software packages: When user downloads package, can verify that contents are valid H collision resistant ⇒ attacker cannot modify package without detection no key needed (public verifiability), but requires read-only space read-onlypublic space package name package name package name F1 F2 Fn ⋯ H(F2) H(F1) H(Fn)

7. End of Segment